Alerting
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Alert setup

amirarsalan
Explorer
‎01-14-2020 06:36 AM

Hi all!
Need some help to setup an alert. I have created a alert but my issue is that the alert trigger all the time on the same results. My search is like this index="" sourcetype="" Something went wrong when parsing a offer for campaign, result is falsy | dedup campaign.id

I only want once alert per campaign but now i get same alerts on same campaigns.

My setup is:
Earliest: -10m
Cron Expression: */5 * * * *
Trigger: Once
Throttle: 10 minutes

Someone who can help with this?

Tags (1)
0 Karma
Reply

amirarsalan
Explorer
‎01-14-2020 07:41 AM

Hi @gcusello
Here is my code search

index="" sourcetype="" Something went wrong when parsing a offer for campaign, result is falsy | dedup campaign.id

I can change the time. Anyway it stil gives me same alerts

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-14-2020 06:43 AM

Hi @amirarsalan,
you have a ime period of 10 minutes and a frequency schedule of 5 minutes,this means that you use the same data two times in your alerts, could you reduce the time period or enlarge the frequency?
What's your trigger condition: could you share your search using Code Sample button (otherwise I cannot read your code)?

Ciao.
Giuseppe

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-14-2020 08:05 AM

Hi @amirarsalan,
you Use case requires that the alert is triggered when you have results to the search or when the result is higher that a threeshold?

Ciao.
Giuseppe

0 Karma
Reply

amirarsalan
Explorer
‎01-14-2020 01:33 PM

Hi @gcusello
Yes that's correct. But the problem here is that I get same results on my search. So when the alert run the search I got the same results and then I receive the same alert after 10 minutes etc. I want alerts when I have new errors on new campaigns. So I want to receive 1 alert per campaign.id error. Now I get spammed of same alert every 10 minutes

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎01-14-2020 10:28 PM

Hi @amirarsalan,
you could write the result of the search (the Campaigns) in a lookup (using outputlookup command) or (better) in a summary index (using collect comand) and exclude them from your search.

Ciao.
Giuseppe

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas     Cisco Live 2026 is almost here, and this ...

Data Management Digest – May 2026

Welcome to the May 2026 edition of Data Management Digest!   As your trusted partner in data innovation, the ...